Project

General

Profile

Bug #532

repo dbs not signed

icarious - over 5 years ago - .

Status:
open
Priority:
critical
Assignee:
-
% Done:

0%


Description

After checking every repository, I couldn't find a repo.db.sig file in the repositories. running pacman+WGET reports a 404 Not Found. Pacman ignores this error and can only be seen using WGET. After checking upstream Arch's repositories it seems like this is inherited from Arch. It will be nice if we could sign our repo dbs, as mtjm pointed out nicely that an attacker can fake packages being old or missing, preventing the system from getting a security update.

Also available in: Atom PDF